World’s boldest cyber criminals: how US intelligence is hunting Russian hackers down

Since the beginning of 2010, US special services have arrested at least ten Russian hackers in different parts of the world. Some of them are already in American prisons, others are waiting for a verdict; one of the hackers was released and came back to Russia.

Dmitriy Smilianets (Bold), July 12, 2011. Photo: Moscow Five / YouTube

The Russian Foreign Ministry refers to such arrests as "abductions." Russian hackers are regularly accused of "the biggest attacks" in history and of damage worth hundreds of millions of dollars, and most of them have ties to the Russian special services and authorities. Meduza’s special correspondent Daniil Turovsky tells four stories about the hackers that US intelligence managed to hunt down.

Roman Seleznev

On the morning of April 28, 2011, the Jamaâ El Fna Square in the center of Marrakech (Morocco) was as crowded as ever: passers-by bustled among cars, market tents and street cafes. Among them was Roman Seleznev, a sturdily built man who usually wears three-day stubble. A few minutes earlier, Seleznev had been told that he would need a suit to be admitted to the hotel restaurant for breakfast. Since he did not have a suit, he and his wife went to the nearest cafe. The waiter said that he could serve them in 30 minutes. The couple agreed to wait, and the waiter mysteriously replied: "Bad idea." When he brought a glass of orange juice to the Seleznevs, an explosion thundered through the cafe.

After some time, Seleznev regained his senses, but only for a little while. White smoke was pouring from the cafe. Most of the building was destroyed. Bodies covered in blood were all around. As it turned out later, the terrorists had left two briefcases with explosives in the cafe and detonated them with a mobile phone, killing 17 people. The Moroccan authorities blamed the attack on Al-Qaeda, but the organization refused to take responsibility for the explosion.

Seleznev survived, but fell into a coma. Doctors told his wife (who had escaped relatively unharmed) and his father, who had flown to Marrakech, that he was very unlikely to survive, and that if he did, he would be a "vegetable for life." His father, Valery Seleznev, a State Duma deputy from the LDPR, arranged his son’s transportation to Moscow. There he brought a priest to the hospital, who baptized Seleznev without his knowledge. While he was in a coma, a letter came from the King of Morocco, Mohammed VI. "The people of Morocco were horrified and saddened to learn that you were injured," it said.

About two weeks later, Seleznev came out of the coma. It took him about a year to recover completely; over numerous operations, part of his skull was replaced by a titanium plate. He and his wife divorced, and she moved to the US.

This is how Seleznev recalled the terrorist attack several years later. The incident is far from the most surprising twist in his biography.

nCux from Vladivostok

Seleznev was born in Vladivostok in 1984. When he was two years old, his parents divorced. Seleznev remembers that at first he and his mother lived in a room measuring 10 square meters; then she bought an apartment from her brother. His mother worked as a cashier in a local store and was a drinker; most of the time Roman was alone. He began to study programming on his own; at the age of 16 he entered college, where he studied mathematics and computer science. One day in 2000, upon returning home, he discovered that his mother had drowned in the bath. Her brother came the same day, took all the valuables and told Seleznev to get out. The teenager went to live with his grandmother and got a job in a computer club that paid $5 for a 24-hour shift.

Roman Seleznev with his girlfriend Anna Otisko and her daughter, July 11, 2014

Seleznev’s case file indicates that at the age of 18 his interest in programming grew into his first hacking attempts. He made them under the name nCux, whose Latin letters can be read as the Russian word for "psycho." Seleznev registered on several clandestine carder forums, for those who made money stealing bank cards (for example, carderplanet.com and carder.org). Initially, he hacked databases to steal personal data (names, dates of birth, passport and social security numbers); after a couple of years he started stealing credit card numbers and selling the databases to other carders.

Seleznev hacked the payment processing systems of small businesses in the US, through which all their card transactions passed. He used vulnerabilities to infect the systems and copy every card transaction; the data was then collected on servers belonging to the hacker. By 2009, Seleznev had become one of the most prominent sellers of stolen cards in the world.

Small snack bars in Washington and other US cities were his favorite targets. The criminal case mentions several pizzerias, street food and burrito joints, and bakeries (about 3,700 businesses in total). Seleznev went after small businesses because of their poor security: such businesses do not have their own cyber security departments, and they usually use weak passwords.

The US special services began to watch Seleznev in 2005. In May 2009, FBI agents met with FSB officers in Moscow. The Russians gave the Americans evidence that Roman Seleznev from Vladivostok was the person behind nCux. A month later, in June 2009, nCux announced on the forum that he was leaving the business, after which his forum accounts were deleted. The criminal case states that it was the FSB that told Seleznev the American authorities were after him. The hacker’s emails confirm that he kept in touch with the FSB. He wrote to one of his accomplices that he had protection in the FSB Information Security Department. He also said that the FSB knew who he was and what he did.

Meduza’s source in the cyber security field claims that Russians who hack foreign systems are almost never punished: more often they are recruited to work for the state. All Russian hackers know the saying "do not work on Ru" (that is, you cannot attack Russian banks and companies while in Russia). Another of Meduza’s sources said: "there is a widespread scheme to attract illegal hackers and to encourage them." Meduza has published a comprehensive report on the connections between the Russian special services and hackers. The New York Times wrote that while one of the most wanted Russian hackers, Evgeny Bogachev (Zeus), was infecting millions of computers to steal money, "the Russian authorities were looking over his shoulder, searching the same computers for files and emails" with classified information about Ukraine and Syria.

Having deleted his former nickname, Seleznev soon began to use the names Track2 and Bulba, and brought his business to a new level. In September 2009, he opened an online store of stolen cards. It looked almost like Amazon: one could search by category, choosing between card brands or issuing financial organizations. US authorities believe that Seleznev reinvented the carder market: previously, stolen cards had been offered in separate forum threads, whereas now the exchange of stolen data was optimized and automated. One April day in 2011, about a million new cards appeared in Seleznev’s store. A couple of weeks after that, he flew to Morocco and almost died in the explosion. While he was being treated, his accomplices continued to run the project, before closing it in January 2012.

Arrest in the Maldives

After leaving the hospital, Seleznev took the nickname 2Pac. He created another online store where other hackers could sell stolen goods. Then he launched a website offering basic instructions on how to steal bank data and use it. At the top of the site was an ad in English: "Here I'll explain how to make money. From $500 to $50,000 and even $500,000. Remember, this is an illegal way! The whole process from beginning to end." In its first month, June 2014, it was visited by 3,500 people.

Seleznev earned millions of dollars. It is known that through just one money-transfer service he received about 18 million. His exact earnings are unknown: the hacker received money through bitcoin, WebMoney and other electronic wallets. He bought two houses in Bali and flew from Vladivostok to the islands in the Indian Ocean. He often photographed bundles of money and expensive cars. He has a photo next to a sports car against the backdrop of St. Basil's Cathedral, almost the same as one of another arrested Russian hacker, Yevgeny Nikulin (detained in Prague in October 2016 and accused of hacking LinkedIn, Dropbox and other services; Nikulin claimed that he was pressed to confess that he had hacked Hillary Clinton's mailbox on the orders of Vladimir Putin).

Realizing that he could be tracked by FBI agents, Seleznev traveled carefully. He chose countries that had no extradition to the United States, and bought tickets at the last minute to prevent intelligence services from monitoring his movements.

In July 2014, he went to the Maldives, where he rented a villa for $1,400 a day. "I took the most expensive villa, I have my own servant," he wrote to one of his accomplices.

Learning that Seleznev was in the Maldives, FBI agents asked the US State Department to use its connections with the local authorities. Bloomberg described in detail how Seleznev's arrest was organized. After the talks, the head of the country's police agreed to detain the hacker, despite the absence of an extradition treaty. According to the publication, two FBI agents flew to the Maldives from Hawaii. Together with the police, they monitored Seleznev's movements. When he went to the airport, where he was due to fly to Moscow, he was detained. The hacker was put on a private plane and within 12 hours was brought to Guam, where an American military base is located.

According to the criminal case, Seleznev had a laptop with data on 1.7 million stolen credit card numbers, as well as passwords for access to servers, mail accounts and financial transfers.

From Guam, Seleznev was transferred to Seattle. There he stated that FBI agents had beaten him. The agents responded that Seleznev had been allowed to smoke and use cutlery. The court rejected Seleznev's claim.

The Foreign Ministry called Seleznev's arrest a kidnapping and "another unfriendly move by Washington." Seleznev's father proposed imposing economic sanctions on the Maldives. He said that Roman was transported in eight armored cars, being moved from one to another. "They made him some kind of internet bin Laden," the parliamentarian said.

A month after the arrest, a message appeared on the 2pac forum: "We apologize for the lack of updates. The boss got into a car accident, he's in the hospital."

The prosecutor said that Seleznev is the most serious cybercriminal ever brought to justice. He was described as a person with extraordinary computer skills who returned to cybercrime several times, "increasing the scale of attacks." The damage from his actions was estimated at $170 million. The prosecutor even compared the Russian to Tony Soprano, the main character of the series The Sopranos.

"His arrest is a rare victory in the fight against Eastern European cybercriminals," the prosecution maintained. "Many hackers live in Russia, which does not extradite criminals to the United States. If Seleznev is released, then, given his links with Russian law enforcement agencies, he will act at home with impunity."

Before the verdict, Seleznev admitted his guilt. Before that, he had refused to cooperate with the investigation and delayed the process. The criminal case contains transcripts of his telephone conversations with his father from prison. They discuss the "Uncle Andrey variant": delaying consideration of the case, in which Seleznev first falls ill and then stops communicating with his lawyers. It worked: before the hearing, the defense filed a notice of withdrawal from the case because of disagreements with the client, and the hearing was postponed from May 2015 to November. The postponement led to additional costs, because witnesses in the case had already flown to the court in Seattle from Sri Lanka, Honolulu and Chicago.

Before the verdict, he wrote a letter to the court by hand, in which he briefly retold his biography, saying that he had become involved with the criminal world because of his difficult childhood. "I tried to find a job on the Internet, and everything went downhill," Seleznev said. "I chose the wrong path - I hacked into computers for thievery."

Seleznev was sentenced in April 2017, when the story of the alleged interference of Russian hackers in the US presidential election had been one of the main topics in the American media for several months. He was sentenced to 27 years, the longest sentence ever handed down in the US for cybercrime. "I am a political prisoner. I am a tool for the US government," Seleznev said after the verdict. "They want to send a signal to the whole world, using me as a pawn. In light of my head injury, today's sentence can be considered fatal." His father called the decision "a sentence of cannibals." In September 2017, Seleznev pleaded guilty to two more counts, involving losses of about $52 million.

Bold for Mother Russia

On March 22, 2012, Dmitriy Smilianets (Bravy, meaning Bold), head of Moscow Five, the most successful Russian e-sports organization of those years, announced that the team had a patron: businessman and dollar billionaire Sergey Matvienko (son of Valentina Matvienko, the Federation Council speaker). He said that the negotiations with Matvienko had been held in parallel with the Moscow Five team's victories in the League of Legends World Cup final (Meduza has written in detail about Russian teams in LoL). A joint photo of Smilianets and Matvienko appeared on the Moscow Five website: Smilianets dressed in his blue Adidas sweatshirt, Matvienko sitting next to a stuffed buffalo.

Dmitriy Smilianets (right) along with Sergey Matvienko (center), May 10, 2012

Judging by his social networks, Smilianets was fond of politics and communicated with Russian public figures. In March 2012, when the presidential election was held, he posted a photo of his ballot paper with a tick for Vladimir Putin. He captioned the photo: "I'm sure! For a strong leader!" Later he posted a photo from a round table with representatives of the Presidential Administration, where "issues of e-sports in Russia" were discussed. In another photo there was a Russian flag with a line from the national anthem over it: "Our loyalty to the Fatherland gives us strength."

Before each competition Smilianets publicly appealed to God. "Lord, help us win the Intel Extreme Masters in Hanover. We fight for the honor of Moscow, for Mother Russia!" he wrote in March 2012. He then posted the painting Blessed Morning in Moscow, which, he said, had been given to Moscow Five by the artist Nikas Safronov, who usually paints Russian politicians and celebrities.

In 2003, according to Bloomberg, Smilianets met Vladimir Drinkman when they played Counter-Strike online. Smilianets often cheated in these games, using cheat codes. Soon they met in person. Drinkman said that they became friends: Smilianets was one of those people you could drink vodka or go fishing with.

Drinkman grew up in Syktyvkar, had been fond of computers since school, taught himself the C++ programming language, and worked as a system administrator at the university. Smilianets was born in Moscow, where he graduated from the Department of Information Security at Bauman University. In his Twitter bio, he said he was interested in geopolitics, e-sports and information security.

According to the case file, from 2005 the two friends began to hack the computer networks of financial companies, payment systems and retailers, gaining access to credit card data. Smilianets was responsible for resale: the cards went for 10-50 dollars apiece, depending on the country of origin. They broke into the Nasdaq exchange, 7-Eleven stores, the French Carrefour chain and other large companies. Over the next ten years, according to the prosecution, they stole about 160 million credit cards and caused damage of 300 million dollars. The hacker Albert Gonzalez pointed the American authorities to Drinkman, and through Drinkman they reached Smilianets. Gonzalez himself is already serving a 20-year prison term for stealing 130 million credit cards.

Arrest in Amsterdam

In July 2013, the special services found a photo on Smilianets’ Instagram account in which he was posing in a hoodie with the Russian coat of arms in front of the I Amsterdam sign in the center of the Dutch capital. After that, the Americans phoned all the hotels nearby; at one of them they were told that Smilianets was indeed staying there, but was asleep at the moment. The next morning the detectives arrived at the hotel. It turned out that Smilianets had taken two rooms. In the second was Vladimir Drinkman, whose whereabouts the special services had not even guessed.

In his last post on VKontakte before his detention, Smilianets published a photo of the e-sports players with the caption: "The property of Russian electronic sport. Only agents of the CIA and MI6 could run him down." After the arrest Smilianets was called ‘the godfather of eSports’, and a column appeared on Sports.ru stating that "now everyone understands how Bravy earned the money to maintain the teams."

Smilianets’ father, Moscow lawyer Viktor Smilianets, believes that no evidence supports his son’s guilt. According to him, Smilianets had no computer with him when detained, which would have been the main potential evidence. "The amount of damage Smilianets inflicted on banks and other financial institutions is even more perplexing; the figures are incredible," Smilianets Sr. wrote. "Americans like to draw astronomical figures and thereby write off billions of dollars of debts."

Later the investigators reported that there were three more hackers in the group, two Russians and one Ukrainian; they could not be caught.

Smilianets almost immediately agreed to extradition to the United States. There he was put in jail in New Jersey, where he began spending his term learning Spanish and Chinese. Drinkman fought extradition for two and a half years. He told Bloomberg that he had read George R. R. Martin's A Song of Ice and Fire in the Dutch prison. He gave the interview in a psychiatric hospital, where, according to his lawyer, the hacker had been taken after the Netherlands agreed to his transfer to America.

In September 2015 Smilianets and Drinkman pleaded guilty. The sentencing was postponed several times. It is now scheduled for September 22, 2017. They face 25 and 35 years in prison, respectively.

Nikita Kuzmin

YouDo founder with a convertible

By 2009, 25-year-old Nikita Kuzmin had succeeded both in public business and in underground hacking. He became a co-founder of the YouDo company and wrote about its launch on Roem.ru. At that time, the service did not specialize in consumer services, as it does now, but was a platform for ordering advertising campaigns. Kuzmin found out that cyber security specialists had paid attention to the hacks he had committed; they began to investigate the Trojan that Kuzmin had been developing for several years and that had earned him hundreds of thousands of dollars.

Kuzmin was adopted by musician Vladimir Kuzmin. "Nikita has his own father, I just brought him up," the singer said in 2010. “He became a businessman. Perhaps he followed his father’s footsteps, whom he had never seen in his life." In 2016, the singer denied his family ties with the hacker: "He is not my son, it's a mistake."

"I had my son by my lover!" said the hacker's mother, Tatyana Artemyeva. "Now he lives in America, a real computer genius, he regularly sends me money. I remember how Volodya came to meet Nikita's father. I will not tell the name of this man. Kuzmin shook his hand, wished him luck, and I gave him the keys to a rented apartment."

The materials of Kuzmin's criminal case say that he studied at two technical universities, where he received "advanced computer skills." Meduza's source said that Kuzmin graduated from the Information Security Department of Bauman University.

Nikita Kuzmin

Nikita Kuzmin had access to the Internet in prison: for example, he posted this photo on his Facebook page a year before the verdict, on April 8, 2015

In the mid-2000s, Nikita Kuzmin began hijacking ICQ accounts: he stole an account from its owner and demanded money for its return. In this way, the hacker earned about 20 thousand dollars. He then got access to the login and password database of a financial organization. For several years he withdrew money from banks around the world, earning only about 50 thousand dollars. Kuzmin periodically bought various malware for stealing money from bank accounts in the US and Australia, but the programs often did not work, so he decided to make his own.

He hired a programmer, who spent ten months writing the banking Trojan Gozi to Kuzmin's design. Kuzmin paid about $20,000 for this work.

He began promoting his product under the name ‘76 service’. The program was not just a virus but essentially B2B software for criminals without hacking skills. He rented it out to other hackers: for $2,000, Gozi could be used for two weeks and configured for the customer's purposes.

Victims were sent infected PDF documents. After infection, Gozi downloaded a component that collected all confidential banking information, including logins and passwords. This information was passed to Gozi's operators (investigators later found a server storing about 10,000 bank account passwords belonging to about 300 companies, including NASA; in total, 40,000 computers in the United States were attacked by the hackers). Gozi's customers could access this information through a user-friendly interface. The US authorities estimate the damage caused by the hackers at about 50 million dollars.

In 2010, FBI agents began searching for Gozi’s creators. By that time, they had already studied the Trojan and found the IP addresses that the hackers used for their attacks. The special services received permission to intercept the correspondence of an unknown Russian hacker. Some of these messages are in the case materials.

"Why do you need Zeus? Use my trojan. Mine is much cooler," the hacker wrote.

"How much will it cost me?" the unknown person replied.

"2k per month, all inclusive. And I have a botnet and a convenient admin panel."

Other messages show that, as a gift, he paid for his girlfriend’s photos to be published in the Russian edition of Playboy, and that he drove around Europe in a BMW 6 Series.

The intercepted correspondence makes clear that he offered a client the option of paying for the program by transferring money to an Alfa-Bank account in the name of Nikita Kuzmin. The special services also identified the hacker’s email address, nikita@youdo.ru. The Americans also studied Kuzmin's account on Odnoklassniki and found photos of the hacker standing next to a BMW 6 Series, the same one he drove around Europe.

Arrest in San Francisco

On November 19, 2010, Kuzmin wrote in a chat: "I'll go from Thailand and get lost somewhere there." On November 22, 2010: "In Bangkok." On November 27, 2010, he was in San Francisco on business, not thinking about a possible arrest. At the airport, he was immediately detained, then arrested and transported to a New York prison.

When this became known to other hackers, they panicked. One user of the program developed by Kuzmin wrote: "Everyone who dealt with the ‘76 team’, take measures, change contacts, behave carefully on forums, don’t leave the country without special need, or ******." Another user wrote: "Nikita talked a lot about himself, testified against his partners ..."

At first, Kuzmin faced 97 years of imprisonment. The prosecution in Kuzmin's case was represented by Preet Bharara, US Attorney for the Southern District of New York, whom The New Yorker called "The Man Who Terrifies Wall Street" (in March 2017 the White House fired Bharara). He pointed out that Kuzmin had made the virus "for those who do not have advanced computer skills." "Unlike most [cyber] crimes, Kuzmin's crime - spreading and using the virus - cannot be solved just by capturing its creator. He sold the Gozi code to others, and it can be used further," the prosecutor explained.

In May 2011, Kuzmin signed a cooperation agreement with the investigation and began to testify against his accomplices. After that, Deniss Čalovskis was arrested in Riga and Ionuț Paunescu in Bucharest.

Kuzmin was defended by lawyer Alan Futerfas, who also represented Donald Trump Jr., the son of the President of the United States (before that he defended clients associated with the mafia, and he began working with Trump Jr. after it became known about Trump Jr.'s meeting with Russian lawyer Natalia Veselnitskaya, who allegedly offered him kompromat on Hillary Clinton). Kuzmin's case dragged on for a long time; hearings were regularly postponed.

In prison, Kuzmin apparently had access to the Internet. In 2011, he was able to sell his stake in YouDo; in 2015 he updated his photo on Facebook; two months before the verdict he left comments on the Roem website. For example, on March 7, 2016, he took part in a discussion of the presidential administration's initiative to provide the tax service with information about all purchases made by Russians abroad. "It’s a sensation!" Kuzmin said.

The verdict was read out to the hacker on May 2, 2016. He was sentenced to 3 years in prison and a fine of 7 million dollars; by that time, he had already spent five years in prison. Kuzmin returned to Russia. The prosecution had requested a sentence twice as long, but the court took into account Kuzmin's cooperation with the investigation.

Kuzmin's Facebook page shows that he is now involved with the Binomo trading platform and travels a lot. He has been to Vienna, Amsterdam, Kiev, Abu Dhabi, Sochi and the Putorana Plateau.

Meduza met with Nikita Kuzmin in St. Petersburg, where he now lives. He declined to talk about himself, saying “it’s not the time.”